Weston Steimel

96 comments by Weston Steimel

Thanks for another great contribution @cpendery! I do think having `beam` as the language is going to be confusing. My suggestion would be to break it up into a separate...

> With splitting the languages into Elixir and Erlang, when we see a purl for the Hex pkg:hex/ package manager (supports both languages), I wouldn't know what language to resolve...

I believe you have to do `img unpack -o hello hello_img`. See #149. It has to do with how the Go flag package works.

Here is the PyPA one for `ctx` for reference: https://github.com/pypa/advisory-database/blob/main/vulns/ctx/PYSEC-2022-199.yaml

Ah, I see https://github.com/advisories/GHSA-4g82-3jcr-q52w just got added for `ctx`. Thanks!

I have been wondering this as well. For instance, the [Rust Advisory Database](https://github.com/rustsec/advisory-db/tree/main/rust) has reports for vulnerabilities in the Rust toolchain itself separately from Rust crates. It feels like this...

I think we should just be able to populate the withdrawn date? I believe we did it in the past for a loguru one. I can try to find it...

This is because there aren't yet any CPEs on the NVD entry. The automated process currently needs those in order to determine version ranges. It does also attempt to look...

It would be really useful if the triage tooling pulled in the GHSA data and used that if available over the NVD stuff. I think I may have filed an...

https://github.com/google/osv/issues/254